Техническая информация
Вредоносные функции:
Для обхода брандмауэра удаляет или модифицирует следующие ключи реестра:
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%ProgramFiles%\Ventrilo\Ventrilo.exe' = '%ProgramFiles%\Ventrilo\Ventr...
Изменения в файловой системе:
Создает следующие файлы:
- %ProgramFiles%\Ventrilo\Doc\wav3.jpg
- %ProgramFiles%\Ventrilo\Doc\setupvoice.htm
- %ProgramFiles%\Ventrilo\Doc\setup.htm
- %ProgramFiles%\Ventrilo\Doc\wav2.jpg
- %ProgramFiles%\Ventrilo\Doc\setupbinds.htm
- %ProgramFiles%\Ventrilo\Doc\test.jpg
- %ProgramFiles%\Ventrilo\Doc\usereditor-chanauth.htm
- %ProgramFiles%\Ventrilo\Doc\usereditor-transmit.htm
- %ProgramFiles%\Ventrilo\Doc\usereditor.htm
- %ProgramFiles%\Ventrilo\Doc\sfx.htm
- %ProgramFiles%\Ventrilo\Doc\grptrgeditor.htm
- %ProgramFiles%\Ventrilo\Doc\wav1.jpg
- %ProgramFiles%\Ventrilo\Doc\monitorbadsource.jpg
- %ProgramFiles%\Ventrilo\Doc\srvprop.htm
- %ProgramFiles%\Ventrilo\Doc\properties.gif
- %ProgramFiles%\Ventrilo\Doc\user.htm
- %ProgramFiles%\Ventrilo\Doc\setupvoicetraining.htm
- %ProgramFiles%\Ventrilo\Doc\server.htm
- %ProgramFiles%\Ventrilo\Doc\channel.htm
- %ProgramFiles%\Ventrilo\Doc\binds.htm
- %ProgramFiles%\Ventrilo\Doc\logo_small.jpg
- %ProgramFiles%\Ventrilo\Doc\recordingcontrol.gif
- %ProgramFiles%\Ventrilo\Doc\monitorbegin.jpg
- %ProgramFiles%\Ventrilo\Doc\useroptions.htm
- %ProgramFiles%\Ventrilo\Doc\device-overlay.htm
- %ProgramFiles%\Ventrilo\Doc\device-logitech-g19.htm
- %ProgramFiles%\Ventrilo\Doc\device-logitech-g35.htm
- %ProgramFiles%\Ventrilo\Doc\device-logitech-g15.htm
- %ProgramFiles%\Ventrilo\Ventrilo.exe
- %WINDIR%\Installer\MSIA.tmp
- %WINDIR%\Installer\MSIC.tmp
- %WINDIR%\Installer\238dd.msi
- %HOMEPATH%\Desktop\Ventrilo.lnk
- %HOMEPATH%\Start Menu\Programs\Ventrilo\Ventrilo.lnk
- %ProgramFiles%\Ventrilo\default.vet
- %ProgramFiles%\Ventrilo\Doc\usereditor-info.htm
- %ProgramFiles%\Ventrilo\Doc\usereditor-chanadmin.htm
- %ProgramFiles%\Ventrilo\Doc\grptrgvoice.htm
- %ProgramFiles%\Ventrilo\Doc\grptrgcmd.htm
- %ProgramFiles%\Ventrilo\Doc\usereditor-admin.htm
- %ProgramFiles%\Ventrilo\Doc\usereditor-display.htm
- %ProgramFiles%\Ventrilo\privchatmsg.wav
- %ProgramFiles%\Ventrilo\Doc\setupoverlay.htm
- %ProgramFiles%\Ventrilo\privchatopen.wav
- %ProgramFiles%\Ventrilo\Doc\rank.htm
- %ProgramFiles%\Ventrilo\Doc\usereditor-network.htm
- %WINDIR%\Installer\MSI7.tmp
- %WINDIR%\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
- %WINDIR%\Installer\MSI6.tmp
- %WINDIR%\Installer\MSI4.tmp
- %WINDIR%\Installer\MSI5.tmp
- %WINDIR%\Installer\238db.ipi
- %ProgramFiles%\Ventrilo\disconnect.wav
- %ProgramFiles%\Ventrilo\MuteMic.wav
- %ProgramFiles%\Ventrilo\MuteSound.wav
- %WINDIR%\Installer\MSI8.tmp
- C:\Config.Msi\238dc.rbs
- %WINDIR%\Installer\238d9.msi
- %TEMP%\vent9x.exe
- %TEMP%\Ventrilo.reg
- %TEMP%\vent32.exe
- %TEMP%\nse2.tmp
- %TEMP%\vent64.exe
- %TEMP%\vent.bat
- %TEMP%\RarSFX0\ventrilo-3.0.5-Windows-i386.exe
- %CommonProgramFiles%\Wise Installation Wizard\WIS789289CAF73A4A16A33154D498CE069F_3_0_5.MSI
- %TEMP%\nsw3.tmp\GetVersion.dll
- %APPDATA%\Ventrilo\ventrilo2.ini
- %TEMP%\nsw3.tmp\nsisos.dll
- %ProgramFiles%\Ventrilo\Doc\record.htm
- %ProgramFiles%\Ventrilo\Doc\setupnetwork.htm
- %ProgramFiles%\Ventrilo\Doc\monitor.jpg
- %ProgramFiles%\Ventrilo\Doc\setupevents.htm
- %ProgramFiles%\Ventrilo\Doc\playcontrol.gif
- %ProgramFiles%\Ventrilo\Doc\setupmisc.htm
- %ProgramFiles%\Ventrilo\Doc\main.jpg
- %ProgramFiles%\Ventrilo\Doc\main.htm
- %ProgramFiles%\Ventrilo\Doc\setupglobal.htm
- %ProgramFiles%\Ventrilo\Doc\setupspeech.htm
- %ProgramFiles%\Ventrilo\Doc\mainmenu.jpg
- %ProgramFiles%\Ventrilo\connect.wav
- %ProgramFiles%\Ventrilo\SwitchBindings.wav
- %ProgramFiles%\Ventrilo\missing.wav
- %ProgramFiles%\Ventrilo\MicKeyUp.wav
- %ProgramFiles%\Ventrilo\Binds.wav
- %ProgramFiles%\Ventrilo\ChannelJoin.wav
- %ProgramFiles%\Ventrilo\ChannelLeave.wav
- %ProgramFiles%\Ventrilo\MicKeyDown.wav
- %ProgramFiles%\Ventrilo\UserDisconnect.wav
- %ProgramFiles%\Ventrilo\UserComment.wav
- %ProgramFiles%\Ventrilo\UserConnect.wav
- %ProgramFiles%\Ventrilo\Channel.wav
Удаляет следующие файлы:
- %WINDIR%\Installer\MSIC.tmp
- C:\Config.Msi\238dc.rbs
- %WINDIR%\Installer\238d9.msi
- %TEMP%\RarSFX0\ventrilo-3.0.5-Windows-i386.exe
- %WINDIR%\Installer\238db.ipi
- %WINDIR%\Installer\MSI8.tmp
- %WINDIR%\Installer\MSI5.tmp
- %WINDIR%\Installer\MSI4.tmp
- %WINDIR%\Installer\MSI6.tmp
- %WINDIR%\Installer\MSIA.tmp
- %WINDIR%\Installer\MSI7.tmp
Другое:
Ищет следующие окна:
- ClassName: 'RegEdit_RegEdit' WindowName: ''
- ClassName: 'EDIT' WindowName: ''
Создает и запускает на исполнение:
- '%TEMP%\RarSFX0\ventrilo-3.0.5-Windows-i386.exe' /QUIET
- '%TEMP%\vent32.exe'
Запускает на исполнение:
- '<SYSTEM32>\cmd.exe' /c vent.bat
- '%WINDIR%\regedit.exe' /s Ventrilo.reg
- '<SYSTEM32>\msiexec.exe' -Embedding 3449C7B2326D7774866E46F31827B738
- '<SYSTEM32>\msiexec.exe' /QUIET /I "%CommonProgramFiles%\Wise Installation Wizard\WIS789289CAF73A4A16A33154D498CE069F_3_0_5.MSI" WISE_SETUP_EXE_PATH="%TEMP%\RarSFX0\ventrilo-3.0.5-Windows-i386.exe"
- '<SYSTEM32>\msiexec.exe' /V
